On Wed, 2008-05-07 at 10:04 -0600, Nicholas Leippe wrote:
> > Sometimes you can get less technical people to install an email cert
> > when you tell them that sending a password by email (or any sensitive
> > information) can be less secure than posting it on the internet since
> > email bounces around to more servers.
> Merely *can be* less secure? No, it *is not* secure, period. Same for
> simply "posting it on the internet", in most of the ways that could be
> interpreted by the layman.
> I like to say that there are no degrees of insecurity.
I disagree. Security is merely assessing risks and mitigating those that
are worth mitigating. Clearly some behaviors are riskier than others and
are therefore less secure. OTOH, some things are not worth securing
because the potential loss is less than the cost of the additional
security.
So for example, at my company we routinely send passwords via email and
IM. The catch is that the servers are hosted entirely in house and
nothing goes over the Internet that's not on a VPN, so really it's not a
big deal. Sure, S/MIME or GPG would be more secure on top of it but I'm
not convinced the cost of implementing it would be worth it.
> I still think it's important, and if it's important, is worth doing and worth
> mentioning. Kind of like trying to get a child to brush their teeth. It may
> not be easy at first, or fun, but is important and worth it in the long run.
My kids love to brush their teeth. Maybe it's because I let them eat a
big chocolate bar afterward. :)
Corey